guix-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [GNU-linux-libre] Free firmware - A redefinition of the term and a n

From: David Craven
Subject: Re: [GNU-linux-libre] Free firmware - A redefinition of the term and a new metric for it's measurement.
Date: Mon, 13 Feb 2017 23:48:19 +0100 
> Is the vendor always trustworthy?

I agree with you. But the thing is that we already bought the device.
It says on the label that the device does A and only A at time x when
we bought the device. The question is do we need to add more trust
than that to the equation.

If we look at security as a function we are trying to maximize, we
already introduced one axiom, that device does A and only A at time x.
By putting the firmware in ROM instead of fixing it with a hash we are
introducing a new axiom. That our previous axiom is time invariant.

Also consider this:
Device comes with firmware A 2015. The vendor creates an update B. In
2016 the same device comes with firmware B. You were happy with the
device in 2015 but your laptop was stolen or broke. So you buy the
same device in 2016. That is a hidden firmware update. How is that
different than knowing that you updated your firmware? In this case
you simply pretend that you have not updated your device, but the
truth is - you really don't know.

So the more axioms (assumptions) our security is based on - the weaker
is the house of cards we are building.

But I'm totally fine with burring this discussion.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]